
NIST Cybersecurity Framework – What it is and How it Compares to MITRE ATT&CK

The final publication of the most significant update yet to NIST’s Cybersecurity Framework (NIST CSF 2.0) is on the horizon. Whether you are only hearing about the NIST CSF in light of the upcoming changes or you’re seeking more clarity on why the framework might be useful for your business, this article gives you a simple breakdown of exactly what the framework is and how it relates to MITRE ATT&CK. 

What is NIST CSF? 

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a set of voluntary guidelines, best practices and standards designed to help organizations manage and reduce cybersecurity risks. The framework gives a structure to help align policy, business and technological approaches to address cyber risks. 

NIST published the first version in February 2014 in response to Executive Order 13636 (February 2013), signed by President Barack Obama, which called for developing a voluntary framework to help critical infrastructure organizations manage and reduce their cybersecurity risks. The need for a framework arose from repeated cyber intrusions into critical infrastructure by state-sponsored and other sophisticated attackers.  

Over time, it became clear that the framework’s focus on managing cyber risks in critical infrastructure was applicable to and useful for a far wider variety of organizations. The wide applicability was built into NIST CSF from the outset, focusing on adaptability and scalability. 

NIST CSF: A Simple Breakdown into 3 Parts 

  1. NIST CSF Core

Here’s a brief breakdown of the framework’s core: 

  • Functions: The backbone of the framework; core functions provide a high-level view of the lifecycle of managing cybersecurity risks. Versions 1.0 and 1.1 had five functions (Identify, Protect, Detect, Respond and Recover); NIST CSF 2.0 adds a new Govern function, for a total of six.    
  • Categories: Within each function, categories are groups of cybersecurity outcomes closely tied to specific activities. For example, the Protect function includes Identity Management, Authentication and Access Control, and Awareness and Training. 
  • Subcategories: These break down categories into specific outcomes that give more detailed guidance on technical or management activities. For example, in Awareness and Training, one subcategory is “privileged users understand their roles and responsibilities.”  
  • Informative references: These are examples of existing standards, guidelines and practices that map to each subcategory. Continuing the previous example, informative references for privileged users understanding their roles and responsibilities include ISO/IEC 27001:2013 and NIST SP 800-53. 
  2. Implementation Tiers

These tiers help gauge how rigorous and well-integrated your company’s approach to managing cybersecurity risk is: 

  • Tier 1 (Partial): Risk management is ad hoc and reactive; practices are not formalized and cybersecurity is handled in isolation from wider organizational risk. 
  • Tier 2 (Risk-Informed): Risk management practices are approved by management but are not established as organization-wide policy or consistently applied. 
  • Tier 3 (Repeatable): Risk management practices are formally approved, expressed as policy and regularly updated as business needs and the threat landscape change. 
  • Tier 4 (Adaptive): Practices adapt continuously, drawing on lessons learned and predictive indicators to respond to evolving threats. 

NIST is explicit that the tiers are not maturity levels: an organization should choose the tier that matches its risk appetite and resources rather than assume every organization must reach Tier 4. 
  3. Profiles

Profiles help organizations align their cybersecurity activities with their business requirements, risk tolerances and resources. In CSF terms, a Current Profile is a snapshot of the outcomes your organization achieves today, and a Target Profile describes the desired state; the gap between the two becomes your roadmap. 

Benefits of Adopting NIST CSF  

  • NIST CSF improves cyber risk management with a structured methodology for identifying, assessing and managing cybersecurity risks. 
  • The framework facilitates aligning and integrating cybersecurity strategies with wider business objectives rather than seeing security as an afterthought (only 36% of organizations say cybersecurity is involved right from the planning stage of a new business initiative).  
  • By highlighting critical areas of cybersecurity, NIST CSF helps you make more informed decisions about where to allocate resources for maximum impact. 
  • The framework provides a common language for internal and external stakeholders (including customers, regulators and partners) to understand an organization’s cybersecurity practices.  
  • Supports compliance efforts with various regulatory requirements and industry standards because it encompasses a wide range of security best practices. 
  • NIST CSF encourages ongoing assessment and improvement to make your organization more adaptive and resilient in managing cyber risks.  

MITRE ATT&CK vs. NIST CSF 

Another helpful way to grasp the role of NIST CSF is to contrast it with another popular security framework, MITRE ATT&CK, usually encountered as the ATT&CK Matrix. Publicly released in 2015, not long after NIST CSF, ATT&CK was initially developed by MITRE to document and categorize the tactics and techniques observed in real-world cyberattacks. Here’s how these popular frameworks differ from and ultimately complement each other.  

 Purpose  

NIST CSF is a strategic, risk-based framework designed to help organizations manage their cybersecurity posture. The CSF provides a high-level, strategic view of an organization’s approach to cybersecurity that focuses on understanding, managing and reducing risk. On the other hand, MITRE ATT&CK is a tactical, knowledge-based framework that focuses on understanding and defending against specific cyber threats.   

Structure  

MITRE ATT&CK is presented as a matrix: each column is a tactic, the adversary’s goal at a given stage (for example Initial Access, Persistence or Privilege Escalation), and listed beneath each tactic are the techniques, and sub-techniques, used to achieve it. A single technique can appear under more than one tactic, because the same method can serve different goals. Clicking a technique brings you to a page with more information, including procedure examples from real intrusions, detection guidance and mitigations.  
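The tactic-and-technique structure described above is also how ATT&CK is distributed: MITRE publishes the knowledge base as a STIX 2 JSON bundle, in which tactics are `x-mitre-tactic` objects and techniques are `attack-pattern` objects that point at their tactics through `kill_chain_phases`. The following added example (not code from the original article or from MITRE) rebuilds the matrix from such a bundle. It embeds a constructed, minimal bundle in the real file layout; the technique IDs and names are real ATT&CK entries, but the tactic subset and the revoked placeholder entry `T9999` are constructed for illustration.

```python
import json

# Constructed, minimal STIX 2 bundle in the layout of the public ATT&CK
# Enterprise JSON. The real bundle has thousands of objects; only the fields
# the parser below relies on are included. T9999 is a constructed placeholder
# to show how revoked entries are skipped.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Initial Access", "x_mitre_shortname": "initial-access"},
        {"type": "x-mitre-tactic", "name": "Execution", "x_mitre_shortname": "execution"},
        {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence"},
        {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation"},
        {"type": "attack-pattern", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "name": "Spearphishing Attachment",
         "x_mitre_is_subtechnique": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "name": "Scheduled Task/Job",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "execution"},
             {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
        {"type": "attack-pattern", "name": "Constructed Revoked Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1566) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_matrix(bundle_json, include_subtechniques=False):
    """Map tactic name -> sorted list of (technique ID, technique name).

    Tactic column order follows the x-mitre-tactic objects; the tactic
    shortname is the join key used by each technique's kill_chain_phases.
    Revoked or deprecated techniques are skipped, as the live matrix skips them.
    """
    objects = json.loads(bundle_json)["objects"]
    tactics = {o["x_mitre_shortname"]: o["name"]
               for o in objects if o.get("type") == "x-mitre-tactic"}
    matrix = {name: [] for name in tactics.values()}

    for o in objects:
        if o.get("type") != "attack-pattern":
            continue
        if o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        if o.get("x_mitre_is_subtechnique") and not include_subtechniques:
            continue
        tid = attack_id(o)
        # A technique can sit under several tactics; add it to each column.
        for phase in o.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") != "mitre-attack":
                continue
            tactic_name = tactics.get(phase.get("phase_name"))
            if tactic_name is None:
                continue  # phase from a tactic not declared in this bundle
            matrix[tactic_name].append((tid, o["name"]))

    for techniques in matrix.values():
        techniques.sort()
    return matrix


if __name__ == "__main__":
    for tactic, techniques in build_matrix(SAMPLE_BUNDLE, include_subtechniques=True).items():
        print(tactic)
        for tid, name in techniques:
            print(f"  {tid:<10} {name}")
```

Pointed at the real `enterprise-attack.json` bundle, the same function yields the full matrix, which is a convenient base for tagging detections or red-team findings by technique ID. Note that `T1053` lands in three columns, which is why technique counts per tactic do not sum to the total number of techniques.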

The structure of NIST CSF is a core of critical cybersecurity functions, each representing a specific aspect of managing and mitigating cybersecurity risk. Functions include Identify, Protect and Detect. Each function includes categories and subcategories that provide a more detailed breakdown of the outcomes that help achieve the high-level aims of the core functions.   

Approach 

In terms of approaches, NIST CSF emphasizes identifying and understanding the range of risks organizations face, and then managing these risks with a set of practices that align with the organization’s objectives. This risk-based approach is all about mitigating risks to an acceptable level rather than eliminating all possible threats.  

MITRE ATT&CK instead focuses on what adversaries do, which can help companies develop more effective defense and detection strategies. The adversary-based approach provides a granular view of potential attack methods that can help inform both reactive and proactive defenses.  

Uses 

NIST CSF helps align cybersecurity practices with business requirements, risk tolerances and resources. Its intended audience extends beyond the IT security department to include executives and managers who need to understand and manage cybersecurity risk in alignment with organizational goals and business practices. 

The MITRE ATT&CK Matrix helps understand the specific methods used by attackers and develop effective detection and defense strategies. Security analysts, red teams and researchers can gain a detailed, tactical understanding of threats from ATT&CK, but a non-technical audience may have little use for the framework. 

The two frameworks are complementary; there is not necessarily an either-or choice here. NIST CSF helps shape and guide your organization’s overall cybersecurity strategy, while MITRE ATT&CK helps you understand and defend against specific threats and attack methods. A practical pairing is to use CSF to decide which outcomes matter and how mature you need to be, then use ATT&CK to test whether your Detect and Protect controls actually cover the techniques adversaries use against organizations like yours. If you need a general cybersecurity framework first, it is worth starting with CSF and then incorporating ATT&CK for a deeper understanding of threats.   

Get More Specific Cyber Guidance  

Frameworks like NIST CSF are helpful for providing a basic structure to your cybersecurity program. But even after adopting CSF, there inevitably comes a point where you need to know what to do next with your cybersecurity program to use limited security resources and identify gaps effectively.  

Nuspire’s security posture assessment helps you gauge how mature your security controls are based on industry-specific threats. You’ll also get a gap analysis and recommendations on remediation.

